Reported September 3, 2003, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Visual Basic for Applications (VBA) SDK 6.3, 6.2, 6.0, and 5.0
  • Microsoft Access 2002, 2000, and 97
  • Microsoft Excel 2002, 2000, and 97
  • Microsoft PowerPoint 2002, 2000, and 97
  • Microsoft Project 2002 and 2000
  • Microsoft Publisher 2002
  • Microsoft Visio 2002 and 2000
  • Microsoft Word 2002, 2000, 98, and 97
  • Microsoft Works Suite 2003, 2002, and 2001
  • Microsoft Business Solutions Great Plains 7.5
  • Microsoft Business Solutions Dynamics 7.0 and 6.0
  • Microsoft Business Solutions eEnterprise 7.0 and 6.0
  • Microsoft Business Solutions Solomon 5.5, 5.0, and 4.5

DESCRIPTION

A vulnerability in Visual Basic for Applications can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the way Microsoft Visual Basic for Applications (VBA) checks document properties passed to it when the host application opens a document. The resulting buffer overrun can permit an attacker to execute code of his or her choice under the logged-on user's security context.

VENDOR RESPONSE

Microsoft has released Security Bulletin MS03-037, "Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution (822715)," to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin.

CREDIT

Discovered by eEye Digital Security.